Description of problem:
During installation of the undercloud for OSP8 and/or OSP9 using:
> openstack undercloud install
it fails on nova-api:
> Error: Could not start Service[nova-api]: Execution of '/bin/systemctl start openstack-nova-api' returned 1: Job for openstack-nova-api.service failed because a timeout was exceeded. See "systemctl status openstack-nova-api.service" and "journalctl -xe" for details.

In nova.log, the exception shows a failure of sudo nova-rootwrap:
> 2018-10-11 13:55:47.710 4825 DEBUG oslo_concurrency.processutils [-] u'sudo nova-rootwrap /etc/nova/rootwrap.conf iptables-save -c' failed. Not Retrying. execute /usr/lib/python2.7/site-packages/oslo_concurrency/processutils.py:375
> 2018-10-11 13:55:47.711 4825 DEBUG oslo_concurrency.lockutils [-] Lock "iptables" released by "nova.network.linux_net._apply" :: held 3.790s inner /usr/lib/python2.7/site-packages/oslo_concurrency/lockutils.py:265
> 2018-10-11 13:55:47.713 4825 CRITICAL nova [-] ProcessExecutionError: Unexpected error while running command.
> Command: sudo nova-rootwrap /etc/nova/rootwrap.conf iptables-save -c
> Exit code: 1
> Stdout: u''
> Stderr: u'sudo: PAM account management error: Authentication service cannot retrieve authentication info\n'
> 2018-10-11 13:55:47.713 4825 ERROR nova Traceback (most recent call last):
> 2018-10-11 13:55:47.713 4825 ERROR nova File "/usr/bin/nova-api", line 10, in <module>
> 2018-10-11 13:55:47.713 4825 ERROR nova sys.exit(main())
> ...
> 2018-10-11 13:55:47.713 4825 ERROR nova File "/usr/lib/python2.7/site-packages/nova/utils.py", line 272, in execute
> 2018-10-11 13:55:47.713 4825 ERROR nova return processutils.execute(*cmd, **kwargs)
> 2018-10-11 13:55:47.713 4825 ERROR nova File "/usr/lib/python2.7/site-packages/oslo_concurrency/processutils.py", line 342, in execute
> 2018-10-11 13:55:47.713 4825 ERROR nova cmd=sanitized_cmd)
> 2018-10-11 13:55:47.713 4825 ERROR nova ProcessExecutionError: Unexpected error while running command.
> 2018-10-11 13:55:47.713 4825 ERROR nova Command: sudo nova-rootwrap /etc/nova/rootwrap.conf iptables-save -c
> 2018-10-11 13:55:47.713 4825 ERROR nova Exit code: 1
> 2018-10-11 13:55:47.713 4825 ERROR nova Stdout: u''
> 2018-10-11 13:55:47.713 4825 ERROR nova Stderr: u'sudo: PAM account management error: Authentication service cannot retrieve authentication info\n'

In audit.log, about 65 entries like this are visible:
> type=AVC msg=audit(1539280257.488:1159): avc: denied { execute } for pid=1782 comm="sudo" name="unix_chkpwd" dev="vda1" ino=4531529 scontext=system_u:system_r:nova_t:s0 tcontext=system_u:object_r:chkpwd_exec_t:s0 tclass=file permissive=0

Version-Release number of selected component (if applicable):
This happens on two OSP versions. OSP8:
> openstack-selinux.noarch 0.8.14-15.el7ost @rhelosp-8.0-puddle
> selinux-policy.noarch 3.13.1-229.el7 @rhelosp-rhel-7.6-server
and in the case of OSP9:
> openstack-selinux.noarch 0.8.14-15.el7ost @rhelosp-9.0-puddle
> selinux-policy.noarch 3.13.1-229.el7 @rhelosp-rhel-7.6-server

How reproducible:
always

Steps to Reproduce:
1. On a rhel-7.6 machine, add the RHOSP-8 repositories
2. Install python-tripleoclient
3. openstack undercloud install

Actual results:
It fails, and the output contains an error that systemctl start nova-api failed.

Expected results:
Undercloud installation succeeds without errors.
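
A triage sketch for the audit.log entries quoted in the description, added here as an example and not part of the original report or of openstack-selinux: it groups AVC denials by source domain, target type, class and permission, so repeated entries collapse into one line per missing rule. The second and third sample lines, and all function and variable names, are constructed for illustration.

```python
import re
from collections import Counter

# Sample input: line 1 is the AVC record quoted in the report; line 2 is a
# constructed non-AVC record; line 3 is a constructed repeat of line 1.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1539280257.488:1159): avc: denied { execute } for pid=1782 comm="sudo" name="unix_chkpwd" dev="vda1" ino=4531529 scontext=system_u:system_r:nova_t:s0 tcontext=system_u:object_r:chkpwd_exec_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1539280257.488:1159): arch=c000003e syscall=59 success=no exit=-13 comm="sudo"
type=AVC msg=audit(1539280258.101:1160): avc: denied { execute } for pid=1790 comm="sudo" name="unix_chkpwd" dev="vda1" ino=4531529 scontext=system_u:system_r:nova_t:s0 tcontext=system_u:object_r:chkpwd_exec_t:s0 tclass=file permissive=0
"""

AVC_RE = re.compile(
    r"type=AVC msg=audit\([\d.]+:\d+\): avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the fields of one AVC denial, or None for any other record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    if "scontext" not in fields or "tcontext" not in fields:
        return None
    # A context is user:role:type:level; policy rules are written on the type.
    return {
        "source_type": fields["scontext"].split(":")[2],
        "target_type": fields["tcontext"].split(":")[2],
        "tclass": fields.get("tclass"),
        "perms": tuple(m.group("perms").split()),
        "comm": fields.get("comm"),
        "enforced": fields.get("permissive") == "0",  # 0 = access was blocked
    }


def summarize(log_text):
    """Count denials per (source, target, class, perms, comm, enforced)."""
    counts = Counter()
    for rec in filter(None, map(parse_avc, log_text.splitlines())):
        counts[(rec["source_type"], rec["target_type"], rec["tclass"],
                rec["perms"], rec["comm"], rec["enforced"])] += 1
    return counts


if __name__ == "__main__":
    for (src, tgt, cls, perms, comm, enforced), n in summarize(SAMPLE_AUDIT_LOG).most_common():
        state = "blocked" if enforced else "logged only"
        print(f"{n}x {src} -> {tgt}:{cls} {{ {' '.join(perms)} }} via {comm} ({state})")
```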
Probably:
auth_use_pam(nova_t)
init_rw_utmp(nova_t)
https://github.com/redhat-openstack/openstack-selinux/commit/91e66b392ffc44f5c751bf4d6422f4c966f45678
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2018:3435